Adding Google-managed, auto-renewing SSL custom domain with cloudflare DNS - google-app-engine

Trying to enable auto renewing SSL on google app engine but google says DNS records can not be found.
I have added them for subdomain, tried doing all A and AAAA records or just CNAME record (as cloudflare doesn't allow CNAME and A,AAAA on same subdomain), but no luck with google finding DNS records (even after waiting 24 hours).

Whatever DNS records are needed by google to verify ownership of the domain should not be orange clouded/Proxied, they should be grey clouded/DNS only. Proxying will actually cause cloudflare to serve an A / AAAA record for their own servers/ips and on the requests to your origin server, they will use these entries. Google would not see the actual DNS entries to do the verification.
That being said, the A / AAAA records in your picture don't look like the verification records. I don't know anything about GCP/GAE, but generally the domain control verification records are TXT records or CNAME records. Regardless of this, the above applies. You need the DNS only mode to modify the actual DNS entries that everyone sees.

Related

Subdomain validation with DNS-TXT-record fails

I need to add a subdomain to Google App Engine. Looking at domains and subdomains, which are offered in my App Engine I realize, that only validation with DNS-TXT-record will work (the list of offered domains and subdomains doesn't contain protocol).
I added a DNS-TXT record to the subdomain measurement.mediaworx.com. Trying to validate it I get an error:
where the founded record is exactly those I copied from the validation screen:
What I tried:
To add a second TXT record - DNS validation fails,
To create for this subdomain A and CNAME records, exactly as other validated domains and subdomains have - DNS validation fails,
To delete all DNS records of this subdomain and add them next day - DNS validation fails,
To validate this subdomain with attached protocols, as https://measurement.mediaworx.com and http://measurement.mediaworx.com, with HTML file - validation of protocol+subdomain succeeded, but the subdomain in App Engine can't contain protocol - and DNS validation still fails.
In fact I still need to validate the subdomain without protocol with DNS-TXT record - and fail on it. Does somebody have an idea what to do in such case?

How to setup an HTTPS: site on Google Cloud Storage

I've got server sites set up on GCS but currently they are getting the "Not Secure" badge when someone browses them. I'd like to set them up with a load balancer and google managed certificates so they don't get flagged by the browser. Here is the structure of the sites (not the real domains or hosts):
flintstones.com
www.flintstones.com (alias for flintstones.com)
fred.flintstones.com (completely separate site - currently in it's own storage bucket)
barney.flintstones.com (completely separate site in it's own storage bucket)
Can I have just one load balancer for all of these or do I need a separate LB or each? I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea. I tried that and the cert was forever in "PROVISIONING" status. If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned? Long and short, is that I can never seem to get a cert that isn't in "PROVISIONING" status.
Thanks for your help!
Can I have just one load balancer for all of these or do I need a separate LB or each?
Yes, you can have one LB, with one IP address, and each domain configured to point to that IP address (by CNAME or A/AAAA record). The URL Map for the LB should then dispatch different paths to different backend buckets with host rules.
I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea.
This is up to you, both can work. Some factors to consider:
There is a limit of 100 domains on each SSL certificate
There is a limit of 15 certificates on each targetHTTPSProxy
If you use one certificate with multiple domains, a user visiting one of those domains can get a list of other domains on the certificate. If you use separate certificates, that is not the case.
It is a simpler config to have one certificate
Separate certificates is safer/easier if you need to change domains frequently.
If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned?
Google will only provision a certificate if the domains requested point to your Load Balancer. So you do need to set up the DNS records for all the domains.

Multiple DKIM and SPF DNS records

We uses both Mailgun and Google App engine mail services to send transaction emails from our products. Both needs DKIM and SPF text record in the DNS server. Is it possible to set multiple DKIM and SPF record in DNS configuration? Will it work?
You would only need a single SPF record as you can have multiple rules within it. Check this article for assistance on setting up more than just Google's entries in your SPF record.. Your DKIM signature will specify the subdomain on your domain to check for the signature key. Google Apps uses the google._domainkey subdomain when it specifies the DKIM location to lookup. I'm not sure what mailgun uses but chances are it won't overlap.
Update:
After a quick look around I found this article on Mailgun's website and would think your SPF record should look like this:
v=spf1 include:mailgun.org include:_spf.google.com ~all

Why does it take time to site to go up after I change the domain it was hosted?

I hosted my website using appengine ,after I change the subdomain on which it was hosted to another subdomain,It took some hours to again go live.Why is it so,and what takes the time?
http://support.powerdnn.com/KB/a604/dns-propagation-and-why-it-takes-so-long-explained.aspx
Why Does DNS Take So Long to Propagate? You have registered your
domain name, uploaded your website to one of our web servers, and
asked your registrar to either use our name servers or to point your
"A" record to your web server's IP address. Once that this is done,
what's the hold up?
When your website's address is entered into a browser, the computer
requests the IP address of the server housing your site from your
Internet Server Providers (ISP) DNS records. If the site is not listed
in the records it queries registrars to find out who the DNS start of
authority (SOA) is for your website. If you're using your registrar's
name server as your SOA, it looks up the "A" record for your domain
and returns the IP address of the server listed. If you are using our
name servers, the registrar points the browser to our DNS servers to
determine the IP Address for your domain name. From there the request
is sent to the server the domain is hosted on which then provides the
browser with the website.
To speed the loading of websites, each ISP caches a copy of DNS
records for a period of time, sometimes up to 48 hours. This means
that they make their own copy of the registrars' master DNS records,
and reads from them locally instead of making a direct request to the
domain registrar every time a request for your site is made. This
speeds up web surfing quite a bit by: decreasing the return time it
takes for a web browser to request a domain lookup and get an answer
and reducing the amount of traffic on the web. The downside to
caching the master DNS records is because each company or ISP only
updates their records every few days, any changes you make to your DNS
records are not reflected between those updates. Although our DNS
servers update every 15 minutes, the time between updates system wide
is not standardized so the delay can range from a few hours to several
days. This slow updating of the cached records is called propagation
delay because your website's DNS information is being propagated
across all DNS servers on the web. Once completed, everyone can visit
your new website.

How to create a list of recently expired domains?

I see many websites offering services to list recently expired domains. I also see many blogs on how to use these websites.
However, none of them explain what is necessary to generate the list in a computerized manner. Is it possible to do this without saving all the domain names and querying the whois to see if the registration is gone?
Well, you wouldnt check every domain against whois every day. Instead, you would keep track of the expiration date of each domain from whois, and only check the domains that have expired to see if they have been renewed or not.
WhoisFreaks provides a systematic, well parsed, and normalized expiring domains Whois file in CSV format. You just have to download the file and can get all the domains that are expiring in the same column. No need to re-arrange the domains. You can download the expiring domains and their Whois information for those domains that are expiring 1 month after and 1 month before the current date.
There are three ways to get WhoisFreaks expiring domains file.
You can download it directly from the billing dashboard manually.
The latest generated file will be e-mailed to you.
You can also get it thru an API endpoint.
You can see WhoisFreaks expiring domains whois sample file here.

Resources